JP2018073245A - Inspection apparatus, inspection system, information processing apparatus, inspection method and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve accuracy of determining, from an outside of a predetermined apparatus, whether or not there is an unauthorized program in the apparatus.SOLUTION: An IVI apparatus 14 stores determination data based on data stored in an entire region of a memory of a peripheral device 16. The IVI apparatus 14 acquires, at a predetermined inspection timing, data stored in the entire region of the memory of the peripheral device 16 and derives inspection data on the basis of the data. If the IVI apparatus 14 determines, if the inspection data derived in the inspection timing is not matched with pre-stored determination data, that the peripheral device 16 is in an abnormal state.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a data processing technique, and more particularly to an inspection apparatus, an inspection system, an information processing apparatus, an inspection method, and a computer program.

  There has been proposed a program update system that verifies the validity of a program update executed on a vehicle (see, for example, Patent Document 1). In this program update system, the gateway transmits update data provided from the server to an ECU (Electronic Control Unit). The ECU calculates a digest value of the update control program included in the update data, and transmits the digest value to the gateway. The gateway sends the digest value to the server. And based on this digest value, a server determines whether the update of ECU was completed normally.

JP, 2015-103163, A

  In the technique described in Patent Document 1, when an unauthorized program exists in the ECU, even if the ECU is not updated correctly, the unauthorized program calculates the digest value of the update control program included in the update data, and the digest value. Is transmitted to the gateway, the server determines that the update of the ECU has been normally completed. That is, it may not be possible to correctly determine from the outside of the ECU such as a server that the ECU is operating with an unauthorized program (spoofing).

  The present invention has been made in view of the above problems, and has as its main object to improve the accuracy (in other words, accuracy) for determining the presence or absence of a malicious program in a predetermined device from the outside of the device.

  In order to solve the above-described problem, an inspection apparatus according to an aspect of the present invention includes a storage unit that stores determination data based on data stored in the entire area of the memory of the apparatus to be inspected, An acquisition unit that acquires data stored in the entire area of the memory of the apparatus, a derivation unit that derives inspection data based on the data acquired by the acquisition unit, inspection data derived by the derivation unit, and a storage unit And a determination unit that determines that the inspected apparatus is abnormal when the determination data stored in advance does not match.

  Another aspect of the present invention is an inspection system. This inspection system includes an inspection apparatus and an apparatus to be inspected. The data stored in the memory of the device to be inspected includes the data of a program that defines the operation of the device to be inspected, and data consisting of all 0s or 1s in a free area in which no program data is stored, or of a predetermined pattern. Data that is different from the data configured by repetition is set, and the inspected device is derived by the deriving unit that derives the inspection data based on the data stored in the entire area of the memory, and the deriving unit. A transmission unit that transmits the inspection data to the inspection device. The inspection apparatus determines that the inspected apparatus is abnormal when the storage unit that stores the determination data based on the data, the inspection data transmitted from the inspected apparatus, and the determination data stored in advance in the storage unit do not match. And a determination unit.

  Yet another embodiment of the present invention is an information processing apparatus. The apparatus includes: a generation unit that generates data stored in a memory of a device to be inspected for checking the normality of data stored in the memory; and an output unit that outputs data generated by the generation unit to an external device. . The data is different from the data of the program that defines the operation of the device to be inspected, and the data that is composed of all 0s or 1s in the empty area where the program data is not set, or the data that is composed of repeated predetermined patterns. Data is set.

  Yet another embodiment of the present invention is an inspection method. In this method, an inspection apparatus that inspects the normality of an inspected apparatus using determination data stored in advance acquires and stores data stored in the entire area of the memory of the inspected apparatus at a predetermined inspection timing. Inspection data is derived based on the obtained data, and the inspected apparatus is determined to be abnormal when the derived inspection data and the determination data stored in advance do not match.

  Note that any combination of the above components, the expression of the present invention converted between a computer program, a recording medium on which the computer program is recorded, a vehicle equipped with the present apparatus, and the like are also effective as an aspect of the present invention. It is.

  According to the present invention, it is possible to improve the accuracy (in other words, accuracy) for determining the presence or absence of a malicious program in a predetermined device from the outside of the device.

It is a figure which shows the structure of the test | inspection system of 1st Example. It is a figure which shows the hardware constitutions of the peripheral device of FIG. It is a block diagram which shows the function structure of the peripheral device of FIG. It is a figure which shows the hardware constitutions of the IVI apparatus of FIG. It is a block diagram which shows the function structure of the IVI apparatus of FIG. It is a flowchart which shows operation | movement of an IVI apparatus. FIGS. 7A to 7C are diagrams schematically showing data stored in the ROM of the device to be inspected. It is a block diagram which shows the function structure of the update data generation apparatus of 2nd Example. It is a flowchart which shows operation | movement of an update data generation apparatus. FIGS. 10A to 10C are diagrams schematically showing the structure of data stored in the ROM of the device under test. FIGS. 11A to 11D are diagrams schematically showing a method of reading data stored in the ROM of the device under test. It is a flowchart which shows operation | movement of the IVI apparatus which gave the response waiting time limit. FIGS. 13A and 13B are diagrams schematically showing a configuration of update data stored in the ROM of the peripheral device in the second modification. It is a figure which shows typically the structure of a challenge response type data transmission / reception.

(First embodiment)
Before describing the configuration of the first embodiment in detail, an outline of the first embodiment will be described.
Many electronic devices are mounted on the vehicle, and many ECUs for controlling these electronic devices are mounted. Some ECUs have weak security capabilities and do not have a secure boot function or a falsification detection function to prevent detection and operation of an illegally falsified program. In other words, there are ECUs that cannot guarantee self-correctness. In the future, as further improvement in information security in vehicles is required, the legitimacy of an ECU that cannot guarantee self-validity (an ECU to be inspected, hereinafter also referred to as “device to be inspected”) is external to the ECU. It is necessary to confirm with an apparatus (hereinafter also referred to as “inspection apparatus”). The inspection device is a device that can guarantee self-correctness.

  As described above, in the method of judging the validity of the device to be inspected based on the digest value generated by the device to be inspected according to a predetermined rule, the validity of the digest value is confirmed by a program that guarantees the validity. Unless determined, the judgment result is not necessarily correct. For example, if a malicious program that has entered a device under test generates a digest value indicating that the device under test is normal or records it in advance and returns it, the test device will determine that the device under test is normal. is there. Therefore, the inspection apparatus according to the first embodiment obtains data stored in all areas of the memory of the inspected apparatus (in other words, all data stored in the memory), and normality of the inspected apparatus based on the data. Determine.

  Specifically, the inspection apparatus according to the first embodiment stores in advance determination data as an expected value generated in advance based on data that should be originally stored in all areas of the memory of the apparatus to be inspected. The inspection apparatus acquires data stored in the entire area of the memory of the inspected apparatus at the inspection timing, and derives new inspection data based on the acquired data. The inspection apparatus determines that the inspected apparatus is abnormal if the new inspection data does not match the determination data as the expected value stored in advance.

  The determination data and the inspection data in the embodiment are hash values generated by a hash function, but are not limited thereto. For example, the determination data and the inspection data may be a cryptographic MAC value generated by a MAC (Message Authentication Code) function or a CRC value generated by a predetermined generator polynomial.

  FIG. 1 shows a configuration of an inspection system 10 according to the first embodiment. The inspection system 10 includes an IVI (In-Vehicle Infotainment) device 14 and a peripheral device 16 mounted on the vehicle 12. The IVI device 14 and the peripheral device 16 are connected via an in-vehicle network 18. The in-vehicle network 18 may be a CAN (Controller Area Network), a CAN FD (CAN with Flexible Data rate), or an Ethernet (registered trademark).

  The peripheral device 16 is the above-described inspected device that cannot guarantee self-correctness. The peripheral device 16 may be a meter, a head-up display, or the like, for example. The IVI device 14 is the above-described inspection device that inspects the peripheral device 16 and is an inspection device that can ensure self-validity. The IVI device 14 can be said to be a next-generation in-vehicle information communication device, and is a device capable of executing relatively advanced information processing including a car navigation system and a car audio. The IVI device 14 has at least a hash function (such as SHA-1) or a MAC value (such as AES-CMAC). On the other hand, the computing capability of the peripheral device 16 is lower than that of the IVI device 14 and does not have cryptographic hardware for computing a hash function, so that software computation takes time and hinders communication responsiveness.

  The inspection system 10 further includes an update data generation device 20 that is an information processing device such as a PC. The update data generation device 20 generates update data including a program that defines the operation of the peripheral device 16 and is stored in a memory (ROM described later) of the peripheral device 16. The size of the update data is set to the size of the memory of the peripheral device 16 (in the embodiment, the size of the storage area of the ROM).

  In addition, the update data generation device 20 generates a hash value of the update data (a result having a size determined by the hash calculation method) according to a predetermined hash function. This hash value can also be called determination data, and is stored in the memory of the IVI device 14. Similarly, the update data and the update data size are stored in the memory of the IVI device 14. It may be provided to the IVI device 14 via a server (not shown). The update data may be introduced into the IVI device 14 via a predetermined recording medium such as a USB memory. The update data, the hash value of the update data, and the update data size may also be introduced into the IVI device 14 by these means. At least the update data among the update data, the hash value of the update data, and the update data size is written to the peripheral device 16 via the IVI device 14.

  FIG. 2 shows a hardware configuration of the peripheral device 16 of FIG. The peripheral device 16 includes an ECU 30. The ECU 30 includes a CPU 32, a RAM 34, a ROM 36, and a communication IF 38. The ROM 36 stores the update data of FIG. 1, and the normality of the stored data is confirmed by the IVI device 14. The ROM 36 is a rewritable ROM, and may be, for example, an EEPROM or a flash memory. Typically, the size of the ROM 36 is about several megabytes to 10 megabytes. The communication IF 38 is connected to the IVI device 14 via the in-vehicle network 18.

  FIG. 3 is a block diagram showing a functional configuration of the peripheral device 16 of FIG. The peripheral device 16 includes a receiving unit 40, a processing unit 42, and a transmitting unit 44. Each block shown in the block diagram of the present specification can be realized in terms of hardware by an element such as a CPU / memory of a computer or a mechanical device, and in terms of software, it can be realized by a computer program or the like. Then, the functional block realized by those cooperation is drawn. Those skilled in the art will understand that these functional blocks can be realized in various forms by a combination of hardware and software.

  For example, a computer program including a module corresponding to each block in FIG. 3 may be stored in the ROM 36 of the peripheral device 16. The CPU 32 of the peripheral device 16 may exhibit the function of each block by appropriately reading out the binary data of the computer program from the ROM 36 to the RAM 34 and executing it.

  The receiving unit 40 receives command data transmitted from an external device (for example, the IVI device 14) via the in-vehicle network 18. The processing unit 42 performs data processing according to the command data received by the receiving unit 40. The transmission unit 44 transmits response data regarding the data processing result by the processing unit 42 to the external device that is the command data transmission source.

  The processing unit 42 includes a ROM updating unit 46 and a ROM reading unit 48. The ROM update unit 46 writes the update data received together with the ROM update command into the ROM 36 according to the ROM update command. Note that the ROM update unit 46 may read update data from the IVI device 14 via the in-vehicle network 18 and overwrite-store it in the ROM 36 when a ROM update command is input from the IVI device 14.

  In accordance with the ROM read command, the ROM reading unit 48 reads data having the size specified by the command from the ROM address specified by the command. The transmission unit 44 transmits the ROM data read by the ROM reading unit 48 to the device (IVI device 14 in the embodiment) that is the transmission source of the ROM read command.

  FIG. 4 shows a hardware configuration of the IVI device 14 of FIG. The IVI device 14 includes an ECU 50. The ECU 50 includes a CPU 52, a RAM 54, a ROM 56, and a communication IF 58. The size of the RAM 54 is equal to or larger than the size of the ROM 36 of the peripheral device 16 (for example, 512 MB) so that all data in the ROM 36 of the peripheral device 16 can be expanded. The communication IF 58 is connected to the peripheral device 16 via the in-vehicle network 18.

  FIG. 5 is a block diagram showing a functional configuration of the IVI device 14 of FIG. The IVI device 14 includes a size storage unit 60, a hash value storage unit 62, a ROM data storage unit 64, a ROM data acquisition unit 70, a hash value derivation unit 72, a state determination unit 74, a determination result output unit 76, and a self-validity verification unit. 77, a command transmission unit 78, and a response reception unit 79.

  A computer program including a module corresponding to each block in FIG. 5 may be stored in a recording medium and installed in the ROM 56 of the IVI device 14 via the recording medium. The CPU 52 of the IVI device 14 may perform the function of each block by appropriately reading out and executing the computer program stored in the ROM 56 into the RAM 54. The self-validity verification unit 77 executes predetermined processing for ensuring the validity of the program of the IVI device 14.

  The size storage unit 60 is a storage area for storing data indicating the size of the ROM 36 that is a memory to be inspected in the peripheral device 16. The hash value storage unit 62 is a storage area for storing a hash value of data (the update data described above) stored in the ROM 36 of the peripheral device 16. As described above, the update data has the size of the ROM 36 of the peripheral device 16. Therefore, the hash value storage unit 62 is a hash value of data stored in the entire area of the ROM 36 of the peripheral device 16, and stores the expected value of the hash value when there is no unauthorized program or alteration in the ROM 36 of the peripheral device 16. To do.

  The ROM data storage unit 64 is a storage area for storing ROM data that is storage data of the ROM 36 acquired from the peripheral device 16. The ROM data is data having the size of the ROM 36 of the peripheral device 16 and is actually stored in the ROM 36 at the time of inspection. The size storage unit 60 and the hash value storage unit 62 may be realized by the ROM 56, and the ROM data storage unit 64 may be realized by the RAM 54. The ROM data storage unit 64 may be included in the ROM data acquisition unit 70.

  The size storage unit 60 acquires and stores data indicating the size of the ROM 36 of the peripheral device 16 from a predetermined server or an external device such as the update data generation device 20.

  The hash value storage unit 62 acquires and stores a hash value (also referred to as determination data) of update data in the ROM 36 from a predetermined server or an external device such as the update data generation device 20. The hash value may be read from a recording medium such as a USB memory connected to the IVI device 14 and stored.

  The ROM data acquisition unit 70 acquires data stored in the entire area of the memory of the inspected device when a predetermined inspection timing is reached. The inspection timing may be immediately before or immediately after the update of data stored in the ROM 36 of the peripheral device 16 (immediately before or after reprogramming). It may also be when the ignition is switched from off to on in the vehicle 12 (typically when the engine or motor is started). Furthermore, the inspection timing may be when an external device accesses the peripheral device 16 (ECU 30). Further, the inspection timing may be a predetermined date or time, or may be regular such as once a day, once a week, or the like. In this case, the IVI device 14 needs to have the correct time synchronized with the date / time information with a guaranteed validity transmitted by communication or broadcasting. The self-validity verification unit 77 may execute a predetermined process for ensuring the correctness of the date and time. Further, the inspection timing may be a case where an abnormality of the peripheral device 16 is detected by a predetermined device or user.

  The update data, hash value, and update data size may be given a signature by the update data generation device 20, and signature verification may be performed when introduced into the IVI device 14 to detect tampering between communications. .

  The command transmission unit 78 transmits commands instructing various data processing to the peripheral device 16. The response receiving unit 79 receives a result of data processing corresponding to the command from the peripheral device 16 as a response of the peripheral device 16 to the command. The ROM data acquisition unit 70 transmits a ROM read command to the peripheral device 16 via the command transmission unit 78. Further, the ROM data acquisition unit 70 is a response of the peripheral device 16 to the ROM read command via the response reception unit 79 and acquires data stored in the ROM 36 of the peripheral device 16.

  The ROM data acquisition unit 70 according to the embodiment acquires data stored in the entire area of the ROM 36 of the peripheral device 16 as ROM data. The ROM data acquisition unit 70 stores the acquired ROM data in the ROM data storage unit 64. The ROM data acquisition unit 70 may request the peripheral device 16 for a memory dump of the ROM 36 and acquire the memory dump data of the ROM 36 from the peripheral device 16. In this case, the ROM data acquisition unit 70 may develop ROM data (an image of the ROM 36) in the local RAM 54 based on the memory dump data. The ROM data acquisition unit 70 may acquire the data stored in the entire area of the ROM 36 by repeating the acquisition of data stored in a partial area of the ROM 36 of the peripheral device 16 a plurality of times.

  The hash value deriving unit 72 derives the hash value (also referred to as inspection data) of the ROM data stored in the ROM data storage unit 64 when the ROM data acquisition by the ROM data acquisition unit 70 is completed. For example, the hash value deriving unit 72 may derive the hash value output from the hash function by inputting the ROM data to a predetermined hash function such as SHA-1. The hash function used by the hash value deriving unit 72 for the ROM data is the same as the hash function used by the update data generation device 20 for the update data.

  The state determination unit 74 collates the hash value derived by the hash value deriving unit 72 with the hash value stored in the hash value storage unit 62 in advance. The state determination unit 74 determines that the peripheral device 16 (or data stored in the ROM 36) is normal if the two match, and determines that the peripheral device 16 (or data stored in the ROM 36) is abnormal if the two do not match.

  The determination result output unit 76 performs predetermined post-processing based on the determination result by the state determination unit 74. In the embodiment, the determination result output unit 76 outputs data indicating the determination result to a predetermined external device. For example, the determination result output unit 76 may transmit data indicating that the peripheral device 16 is normal or abnormal to a predetermined server. Further, the determination result output unit 76 may store data indicating the determination result by the state determination unit 74 in a predetermined storage unit. The determination result output unit 76 may execute predetermined post-processing such as alert output only when the determination result indicates abnormality of the peripheral device 16.

The operation of the IVI device 14 of the first embodiment having the above configuration will be described.
FIG. 6 is a flowchart showing the operation of the IVI device 14. Although not shown, the size storage unit 60 stores data indicating the size of the ROM 36 of the peripheral device 16 in advance. The hash value storage unit 62 stores in advance the hash value of the update data stored in the ROM 36 of the peripheral device 16 (that is, the expected value of the hash value when the peripheral device 16 is normal). The CPU waits until the predetermined inspection timing is reached (N in S10). When the predetermined inspection timing is reached (Y in S10), the ROM data acquisition unit 70 stores an area for the size of the ROM 36 of the peripheral device 16 in the RAM 54. The ROM data storage unit 64 is secured (S12).

  The ROM data acquisition unit 70 determines the read address and read size of data in the ROM 36 of the peripheral device 16 (S14, S16). The ROM data acquisition unit 70 transmits to the peripheral device 16 a ROM read command for instructing to read data of the size determined in S16 from the address determined in S14 (S18). The ROM data acquisition unit 70 acquires the data stored in the ROM 36 from the peripheral device 16 as a response to the ROM read command, and stores it in the ROM data storage unit 64 (S20). If a part of the data stored in the ROM 36 is not acquired (N in S22), the process returns to S14 to acquire the unacquired data.

  When the acquisition of the data stored in the entire area of the ROM 36 is completed (Y in S22), the hash value deriving unit 72 inputs the ROM data stored in the ROM data storage unit 64 to a predetermined hash function, and the ROM data Is obtained (S24). The state determination unit 74 compares the hash value acquired in S24 with the hash value stored in advance in the hash value storage unit 62. The state determination unit 74 determines that the peripheral device 16 is normal if they match (Y in S26) (S28), and if they do not match (N in S26), determines that the peripheral device 16 is abnormal (S26). S30). The determination result output unit 76 performs post-processing based on the determination result (S32).

  According to the IVI device 14 of the first embodiment, the normality of the peripheral device 16 is determined based on the data of the entire area of the ROM 36 of the peripheral device 16. If there is an unauthorized program in the ROM 36 of the peripheral device 16, the hash value based on the acquired data of all areas does not match the expected value, so the IVI device 14 can determine that the peripheral device 16 is abnormal. In addition, the malicious program in the ROM 36 eliminates room for a work area for generating and returning normal ROM data, and it is easy to prevent spoofing by the malicious program.

(Second embodiment)
The second embodiment shows a technique for further improving the accuracy (in other words, accuracy or completeness) by which the IVI device 14 determines whether there is a malicious program in the peripheral device 16.

  FIGS. 7A to 7C schematically show data stored in the ROM of the device to be inspected. FIG. 7A shows a conventional data structure stored in the ROM. The storage area of the ROM is divided into a program area 80 that is an area in which a program that defines the operation of the device to be inspected is stored and an empty area 82 that is an area in which no program is stored (in other words, an unused area). In the empty area 82, a predetermined value indicating an empty area is usually set. For example, an all-zero bit string may be set in the empty area 82, and an all-one bit string may be set.

  FIG. 7B shows an example in which an attack program (in other words, an unauthorized program) exists in the ROM of the device under test. Assume that the attacker knows that the empty area 82 is an all-zero bit string. The attacker stores the attack program 1 in the program area 80 while saving the address data of the attack program 1 in the free area 82, and further stores the attack program 2 in the free area 82. When a memory dump of the storage area (program area 80) of the attack program 1 is requested, the attack program 1 returns saved data. When a memory dump of the free area 82 is requested, the attack program 1 returns the data of the all 0 bit string corresponding to the free area 82 as data of the free area 82. As a result, it becomes difficult for the inspection device to detect the presence of an attack program in the ROM of the device under inspection.

  FIG. 7C shows a data structure stored in the ROM in the second embodiment. In the second embodiment, the configuration of original data (that is, update data) initially stored in the ROM of the device to be inspected is one feature. Specifically, data different from the data normally set for the empty area is set in the empty area 82 other than the program area 80 in the original data. In other words, data different from the regular data indicating the free area is set in the free area 82. That is, data different from data composed entirely of 0 or 1 or data composed of a predetermined pattern is set in the empty area 82. In the second embodiment, a random number sequence that is data having no regularity and / or data that is difficult to be algorithmized is set in the empty area 82.

  The configurations of the inspection system 10, the IVI device 14, and the peripheral device 16 in the second embodiment are the same as those in the first embodiment. Hereinafter, the configuration of the update data generation device 20 will be described in detail as a configuration different from the first embodiment.

  FIG. 8 is a block diagram illustrating a functional configuration of the update data generation device 20 according to the second embodiment. The update data generation device 20 includes a size storage unit 106, a program storage unit 108, a random number generation unit 114, a ROM binary generation unit 116, an update data generation unit 118, and a hash value derivation unit 120.

  A computer program including a module corresponding to each block in FIG. 8 may be stored in a recording medium and installed in the storage of the update data generation device 20 via the recording medium. The CPU of the update data generation device 20 may perform the function of each block by appropriately reading and executing a computer program stored in the storage into the main memory. The size storage unit 106 and the program storage unit 108 of FIG. 8 may be realized by storing data in the storage or memory of the update data generation device 20.

  The size storage unit 106 corresponds to the size storage unit 60 of the IVI device 14 and stores data indicating the size of the ROM 36 that is a memory to be inspected in the peripheral device 16. The program storage unit 108 is a program that defines the operation of the peripheral device 16, and stores data of one or more programs to be executed by the peripheral device 16. In the embodiment, compiled binary code that can be executed by the peripheral device 16 is stored. However, as a modified example, source code is stored, and a ROM binary generation unit 116 and the like to be described later can be appropriately executed by the peripheral device 16. You may compile.

  The size data stored in the size storage unit 106 and the program data stored in the program storage unit 108 are generated by the program creator of the peripheral device 16 based on the hardware specifications and updated data is generated. You may register with the apparatus 20.

  The random number generation unit 114 generates a random number. The random number here may not be a true random number in a mathematical sense. For example, it may be a pseudo random number such as a hardware random number using a hardware random number generator or a software random number using a random number generation algorithm in which a random number seed value is appropriately set so that the random number is not reproducible.

  The ROM binary generation unit 116 generates ROM binary that is data in which one or more programs stored in the program storage unit 108 are collected. The ROM binary may include data defining the execution order of one or more programs, or may include management data in a predetermined format in the ROM 36 of the peripheral device 16.

  The update data generation unit 118 is data having the size of the ROM 36 of the peripheral device 16 and generates update data that is data stored in the ROM 36. As shown in FIG. 7C, the update data generation unit 118 sets the ROM binary generated by the ROM binary generation unit 116 as a part of the update data. Further, the update data generation unit 118 sets the random number sequence generated by the random number generation unit 114 in the empty area 82 in which the ROM binary in the update data is not set.

  The hash value derivation unit 120 acquires the hash value of the update data generated by the update data generation unit 118. For example, the hash value deriving unit 120 may obtain the hash value output from the hash function by inputting the update data to a predetermined hash function such as SHA-1.

  The update data generation unit 118 outputs the generated update data and update data size information to a predetermined external device. For example, the update data generation unit 118 may transmit a ROM update command including update data to the peripheral device 16 and store the update data in the ROM 36 of the peripheral device 16. Further, the update data generation unit 118 may transmit the update data and the update data size information to the IVI device 14 so that the update data is registered in the ROM 36 of the peripheral device 16 from the IVI device 14. Further, the update data generation unit 118 may register the update data and the update data size information with respect to a predetermined server that provides the update data to the peripheral device 16 and provides the update data size information to the IVI device 14. . In addition, the update data generation unit 118 may output update data and update data size information to a predetermined recording medium such as a USB memory in accordance with a user instruction.

  The hash value deriving unit 120 outputs the derived hash value to a predetermined external device. For example, the hash value deriving unit 120 may transmit the hash value to the IVI device 14 and store it in the ROM 56. The hash value deriving unit 120 may register the hash value with a predetermined server that provides the hash value to the IVI device 14. Further, the hash value deriving unit 120 may output the hash value to a predetermined recording medium such as a USB memory in accordance with a user instruction. As described above, the hash value of the update data is stored in the hash value storage unit 62 of the IVI device 14 and is referred to when determining the normality of the peripheral device 16.

The operation of the update data generation device 20 having the above configuration will be described.
FIG. 9 is a flowchart showing the operation of the update data generation device 20. Although not shown, the size storage unit 106 stores data indicating the size of the ROM 36 of the peripheral device 16 in advance. The program storage unit 108 is a program that determines the operation of the peripheral device 16, and stores a program to be included in the update data in advance. At a timing at which update data is to be generated, such as when an update data generation instruction is input from the user, the update data generation unit 118 stores a storage area (here, “update data area”) of the size of the ROM 36 of the peripheral device 16. Is stored in a memory (RAM or the like) (S42).

  The random number generation unit 114 generates a random number, and the update data generation unit 118 sets the random number sequence generated by the random number generation unit 114 in all areas of the update data area (S44). The ROM binary generation unit 116 generates a ROM binary including the program held in the program storage unit 108 (S46). The update data generation unit 118 generates update data by overwriting and storing the ROM binary in at least a partial area of the update data area in which the random number sequence is set (S48). As a result, update data having the configuration shown in FIG. 7C is generated. The update data generation unit 118 transmits the update data to a predetermined external device (S50). The update data generated by the update data generation device 20 is finally stored in the ROM 36 of the peripheral device 16.

  The hash value deriving unit 120 acquires the hash value of the update data (S52). The hash value deriving unit 120 transmits the hash value of the update data to a predetermined external device (S54). The hash value generated by the update data generation device 20 is finally stored in the hash value storage unit 62 of the IVI device 14.

  In the second embodiment, a random number sequence is set in the empty area in the ROM 36 of the peripheral device 16 to be inspected. As a result, when an illegal program existing in the ROM 36 requests a memory dump of an empty area, it cannot be spoofed by simply returning a bit string of 0. In addition, since it is difficult to algorithmize a random number sequence, it is difficult to create a malicious program having a size smaller than the random number sequence. Furthermore, the random number sequence has high entropy and generally has a low data compression ratio (in other words, compression efficiency). For this reason, it is possible to make it difficult to place the original data of the program area 80 or the illegal program in the empty area of the ROM 36 after the empty area is compressed.

  In the second embodiment, the random number sequence is set in the free area of the ROM 36 of the peripheral device 16, but the data set in the free area is not limited to the random number sequence. As described above, the data to be set in the free space may be data different from data composed entirely of 0 or 1 or data composed of repeated predetermined patterns. The data set in the free area is more preferably data that is difficult to algorithmize and / or has high entropy. As an example of such data, the compressed data may be set in a free area of the ROM 36 of the peripheral device 16. In other words, the update data generation device 20 may set a bit string of compressed data instead of a random number string in an empty area that does not include program data in the update data. The compressed data may be, for example, JPEG data relating to a predetermined image, or data obtained by compressing data (program data) set in the program area 80 of update data. This modification also has the same effect as the second embodiment.

(Third embodiment)
The third embodiment shows a technique for further improving the accuracy (in other words, accuracy or completeness) by which the IVI device 14 determines whether there is a malicious program in the peripheral device 16.

  FIGS. 10A to 10C schematically show the structure of data stored in the ROM of the device under inspection. ROM binaries stored in the ROM of the device under test can generally be compressed to a size of up to 60%. FIG. 10A shows a state before compression. FIG. 10 (b) shows a state after compression, and the area freed by compressing the ROM binary (data in the program area 80) is indicated by hatching with hatching. As shown in FIG. 10C, the attacker may set up the attack program 1 in an empty area by compressing the ROM binary. When the attack program 1 receives a memory dump request for the program area 80, the attack program 1 decompresses the compressed data of the ROM binary and returns the decompressed ROM binary. As a result, it becomes difficult for the inspection device to detect the presence of the attack program 1 in the ROM of the device under inspection.

  Therefore, the inspection apparatus of the third embodiment limits the time by waiting for a response from the apparatus to be inspected or by shortening it. That is, the response delay caused by decompressing the compressed data as described above is not allowed. Furthermore, the inspection apparatus of the third embodiment randomly determines at least one of the read address and the read size of the data stored in the ROM of the inspected apparatus.

  FIGS. 11A to 11D schematically show a method of reading data stored in the ROM of the device under test (in the embodiment, the ROM 36 of the peripheral device 16). In the figure, 1st to 5th indicate the order of data reading.

  FIG. 11A schematically shows sequential fixed-length reading, which is the first reading method. In sequential fixed-length reading, fixed-size data is sequentially read from the leading address of the ROM 36. For example, in the first embodiment and the second embodiment, sequential fixed length reading may be applied.

  FIG. 11B schematically shows random size reading which is the second reading method. In random size reading, data of a randomly determined size is sequentially read from the head address of the ROM 36. For example, a random number may be dynamically generated each time reading is performed, and the read size may be determined based on the generated random number.

  FIG. 11C schematically shows random address fixed length reading which is the third reading method. In the random address fixed length reading, data of a fixed size is read from the address of the ROM 36 determined at random.

  FIG. 11D schematically shows random address / random size reading which is the fourth reading method. In the random address / random size reading, data of a randomly determined size is read from the address of the ROM 36 determined at random. In the third embodiment, random address / random size reading is applied, but as a modification, random size reading or random address fixed length reading may be applied.

  In random address fixed length reading and random address / random size reading, duplication of read areas may be allowed, or duplication may be eliminated. In the case where the reading area is allowed to be overlapped, in the random address fixed-length reading, as shown in FIG. 11C, the second reading area and the fifth reading area may overlap. In random address / random size reading, as shown in FIG. 11 (d), a part of the third reading area (shaded area with diagonal lines) and the fifth reading area (shaded with vertical lines). Part of (region) may overlap.

  The functional blocks of the IVI device 14 of the third embodiment are the same as those of the first embodiment (FIG. 5). Hereinafter, with respect to the configuration of the IVI apparatus 14 of the third embodiment, the contents already described in the first embodiment or the second embodiment are omitted as appropriate, and differences from the above embodiment will be mainly described.

  The ROM data acquisition unit 70 acquires ROM data that is data stored in the entire area of the ROM 36 by repeating the process of acquiring data stored in a partial area of the ROM 36 of the peripheral device 16 a plurality of times. The ROM data acquisition unit 70 randomly determines a read address specified for each of a plurality of times of data acquisition, and also randomly determines a read address specified for each of a plurality of times of data acquisition. For example, the ROM data acquisition unit 70 includes a random number generation unit corresponding to the random number generation unit 114 of the update data generation device 20, and based on the random number value generated by the random number generation unit, both the read address and the read size are obtained. You may determine to a value without regularity.

  The state determination unit 74 monitors the response time, which is the time from when the ROM data acquisition unit 70 transmits the ROM read command to the peripheral device 16 until the data stored in the ROM 36 of the peripheral device 16 is provided. When the response time to the ROM read command exceeds a threshold value (hereinafter also referred to as “latency threshold value”) corresponding to the read size set in the ROM read command, the state determination unit 74 determines that the peripheral device 16 is abnormal. judge.

  The state determination unit 74 according to the embodiment determines a waiting time threshold based on the read size and the communication speed between the IVI device 14 and the peripheral device 16. For example, when the read size is 100 Kbytes and the communication speed of the in-vehicle network 18 is 500 Kbps (CAN), 1.6 seconds of the read size / communication speed may be determined as the waiting time threshold value.

The operation of the IVI device 14 of the third embodiment having the above configuration will be described.
FIG. 12 is a flowchart corresponding to FIG. 6 and showing the operation of the IVI device 14. S60 and S62 in the figure are the same as S10 and S12 in FIG. The ROM data acquisition unit 70 randomly determines a read address based on the first random number value (S64), randomly determines a read size based on the second random number value acquired separately (S66), and reads the read size. The waiting time threshold is determined according to the communication speed (S68). The ROM data acquisition unit 70 transmits a ROM read command designating a read address and a read size to the peripheral device 16 (S70).

  If the response time until the ROM data is received from the peripheral device 16 after transmitting the ROM read command exceeds the waiting time threshold (Y in S72), the state determination unit 74 determines that the peripheral device is abnormal (S84). . If the response time exceeds the waiting time threshold in the middle of multiple data acquisitions, subsequent data acquisition may be skipped. If the response time of the peripheral device 16 is equal to or less than the waiting time threshold (N in S72), the process proceeds to S74. Since the process of S74-S86 is the same as the process of S20-S32 of FIG. 6, description is abbreviate | omitted.

  According to the IVI device 14 of the third embodiment, as described with reference to FIGS. 10A, 10B, and 10C, an attack program that expands and returns a compressed ROM binary at the time of memory dump is a peripheral device. Even in the 16 ROMs 36, it is easy to detect an abnormality of the peripheral device 16. Specifically, it takes a certain amount of time to decompress the compressed data. By providing a waiting time threshold corresponding to the read size, an abnormality of the peripheral device 16 (for example, there is a high possibility that an attack program exists in the ROM 36). ) Can be detected by exceeding the waiting time threshold.

  Further, the IVI device 14 of the third embodiment reads out the data stored in the ROM 36 of the peripheral device 16 by a random size from a random position. When an attack program in the ROM 36 compresses a regular ROM binary, it is difficult to secure a memory for reading random size data from a random position, so it is difficult to return the regular data by decompressing the ROM binary. it can. In addition, the process of reading out random size data from a random address while decompressing the compressed data generally requires time, so that it is easy to detect an abnormality in the peripheral device 16 when the waiting time threshold is exceeded.

  The present invention has been described based on the first to third embodiments. Those skilled in the art will understand that these embodiments are exemplifications, and that various modifications can be made to each component or combination of each treatment process, and such modifications are within the scope of the present invention. is there.

  A first modification will be described. In the third embodiment, random address / random size reading is applied as a method of reading the ROM data of the peripheral device 16. As a modification, the random size reading described in FIG. 11B may be applied, or the random address fixed length reading described in FIG. 11C may be applied. Whichever method is applied, the attack program existing in the ROM 36 of the peripheral device 16 returns the correct data corresponding to the random designated address or the random designated size while expanding the compressed data of the ROM binary. Can be difficult. In addition, it can be made more difficult to return correct data within the time limit.

  A second modification will be described. FIGS. 13A and 13B schematically show the configuration of update data stored in the ROM 36 of the peripheral device 16 in the second modification. FIG. 13A shows an example in which a plurality of update data is stored in the ROM 36. The update data generation device 20 derives the data size and hash value for each combination of ROM binary and random number sequence (that is, update data), and the IVI device 14 stores the data size and hash value derived for the update data unit. May be. For each of the plurality of update data, the IVI device 14 may acquire data for the size of the update data from the peripheral device 16 and compare the hash value of the acquired data with the hash value of the update data.

  FIG. 13B shows an example in which a plurality of ROM binaries are included in one update data. The update data generation device 20 may derive the data size and hash value of update data including a plurality of ROM binaries, and the IVI device 14 may store the data size and hash value of the update data. The IVI device 14 may acquire data for the size of the update data from the peripheral device 16 and compare the hash value of the acquired data with the hash value of the update data.

  A third modification will be described. The IVI device 14 and the peripheral device 16 may send and receive data in a challenge / response manner. FIG. 14 schematically shows a configuration of challenge / response data transmission / reception. The IVI device 14 and the peripheral device 16 store a key K that is a common key. In addition, the IVI device 14 stores a hash value H that is an expected value of ROM data of the peripheral device 16. Further, in the entire area of the ROM 36 of the peripheral device 16, update data including the ROM binary and the random number sequence is initially stored as in the second embodiment.

  The IVI device 14 of this modification includes a challenge transmission unit and a state determination unit. The challenge transmission unit corresponds to the ROM data acquisition unit 70 of the embodiment, and the state determination unit corresponds to the state determination unit 74 of the embodiment. In addition, the peripheral device 16 of this modification includes a hash value deriving unit and a response transmitting unit. The hash value deriving unit corresponds to the hash value deriving unit 72 of the embodiment.

  The challenge transmission unit of the IVI device 14 dynamically determines a random value using a predetermined random number generator at the inspection timing, and transmits a challenge C based on the random value to the peripheral device 16. The challenge C may be a random value itself. The hash value deriving unit of the peripheral device 16 inputs the ROM data (that is, the ROM binary and random number sequence stored in the entire area of the ROM 36) to a predetermined hash function, and acquires the hash value of the ROM data. The response transmission unit of the peripheral device 16 encrypts data obtained by connecting the challenge and the hash value according to a predetermined rule based on the key K, and transmits the encrypted data of a predetermined size to the IVI device 14 as response data.

  The state determination unit of the IVI device 14 decrypts the response data based on the key K, and acquires data in which the challenge and the hash value are connected as a decryption result. Since the data size of the challenge is already known, the state determination unit extracts the challenge and the hash value from the decrypted data according to the connection rule between the challenge and the hash value. For example, a predetermined byte from the beginning of the decryption result may be extracted as a challenge, and the remaining part may be extracted as a hash value.

  The state determination unit (1) the response time from the transmission of the challenge to the reception of the response data is within a waiting time threshold based on the size of the response data, and (2) the challenge extracted from the response data is The peripheral device 16 is determined to be normal when it matches the challenge transmitted to the device 16 and (3) the hash value extracted from the response data matches the hash value as the expected value stored in advance. On the other hand, the state determination unit determines that the peripheral device 16 is abnormal when at least one of the above (1) to (3) is not satisfied.

  According to the aspect of the third modification, it is difficult for the attack program existing in the ROM 36 of the peripheral device 16 to be disguised so that the data stored in the ROM 36 is normal, and is provided from the peripheral device 16 to the IVI device 14. Data amount can be reduced. Further, since the hash value generated by the peripheral device 16 does not flow directly through the communication network, security can be further enhanced. Further, since the challenge is determined at each inspection, the attack program cannot prepare response data in advance, and it is further difficult for the attack program to disguise the stored data in the ROM 36 as normal.

  In the third modified example, data is transmitted and received in a challenge / response manner, but the peripheral device 16 is configured to transmit a hash value of ROM data (ROM binary + random number sequence in the second embodiment) to the IVI device 14. Also good. Even in this configuration, it is possible to make it difficult for an attack program existing in the ROM 36 of the peripheral device 16 to be disguised so that the data stored in the ROM 36 is normal. Although not mentioned in the third embodiment, a plurality of update data may be stored in the ROM 36 of the peripheral device 16 as shown in FIG. The challenge transmission unit of the IVI device 14 may sequentially acquire the plurality of update data by designating the addresses of the plurality of update data stored in the ROM 36 in a random order. The state determination unit of the IVI device 14 may compare hash values for each update data.

  A fourth modification will be described. The ROM data acquisition unit 70 of the IVI device 14 may acquire data stored in a partial area of the ROM 36 of the peripheral device 16 each time the ignition of the vehicle 12 is switched from off to on. In other words, every time the ignition is turned on, a part of the ROM data of the peripheral device 16 is acquired, and when the ignition is turned on a predetermined number of times, the data acquisition of the entire area of the ROM 36 is completed. Good. For example, in the case of applying any of the data reading methods of FIGS. 11A to 11D, the data of the 1st area is acquired when the first ignition is turned on, and the data of the 2nd area is obtained when the second ignition is turned on. You may get it.

  According to this aspect, it is possible to shorten the time for each inspection process triggered by the ignition being turned on, and to prevent the execution of other processes from being hindered or delayed due to the execution of the inspection process. It should be noted that at least one of the read address and the read size is randomly determined so that a malicious program that may exist in the ROM 36 of the peripheral device 16 cannot predict the data requested to be provided (configuration of the third embodiment). Is preferred.

  A fifth modification will be described. The IVI device 14 may inspect the data stored in the ROMs of a plurality of devices to be inspected (peripheral devices 16, ECU 30) mounted on the vehicle. The IVI device 14 may execute inspection processes for a plurality of devices to be inspected in parallel or sequentially at one inspection timing, and distribute inspection processes for a plurality of devices to be inspected at a plurality of inspection timings. May be executed. Further, the IVI device 14 may transmit the inspection result for each device to be inspected to an external server (not shown).

  A sixth modification will be described. In the above embodiment, the inspection apparatus is the IVI apparatus 14, but the inspection apparatus is not limited to the IVI apparatus 14. For example, the inspection device may be a PC, a smartphone, a tablet terminal, or the like in which software for rewriting data in the memory of the peripheral device 16 is installed. In this case, the inspection apparatus and the peripheral device 16 may be connected by USB. The inspection device may be a server outside the vehicle 12, and in this case, the server and the peripheral device 16 may be connected via a network outside the vehicle 12 and the in-vehicle network 18.

  The scope of application of the techniques described in the above embodiments and modifications is not limited to devices related to the vehicle 12. Both the inspection device and the device to be inspected can be realized by various types of electronic devices (for example, a server, a PC, a smartphone, a tablet terminal, etc.). That is, according to the techniques described in the above-described embodiments and modifications, it is possible to improve the accuracy (in other words, accuracy) of determining the presence or absence of a malicious program in various types of electronic devices from the outside of the electronic devices.

  A seventh modification will be described. Although the IVI device 14 and the peripheral device 16 are connected via the in-vehicle network 18, a multi-stage in-vehicle network 18 configuration via a gateway device may be used.

  When there are a plurality of peripheral devices 16 in the IVI device 14, the size storage unit 60 and the hash value storage unit 62 are stored in a table, and the ROM data storage unit 64 is secured in a sufficient size and shared by the peripheral devices 16. It does not matter even if it is the composition to do.

  In the IVI device 14, the size information of the peripheral device 16 is stored in the size storage unit 60 and the hash value is stored in the hash value storage unit 62. The flag (value) written for the first time is recorded, and while this flag is present, the IVI device 14 may perform a method of not updating unless the update data of the peripheral device 16 is normal.

  The IVI device 14 may transmit the update result of the peripheral device 16 and the results of S28 and S30, S82 and S84 to a server not described, and the server may perform a centralized monitoring of the update status.

  When the update result of the peripheral device 16 in the IVI device 14 is abnormal in S30 or S84, from the server (separate route) after saving to the unrecorded log recording unit and notifying the unlisted server You can re-update.

  At the time of manufacturing at the factory, the IVI device 14 is initially available for the peripheral device 16 of another company, the value of the size storage unit 60 can be obtained from the hardware specification of the device, but the value of the hash value storage unit 62 I do not have (hash value). Thereafter, in the assembly process, the power source and the target device are connected via the in-vehicle network 18. In this step, the IVI device 14 secures the memory for all the ROM sizes of the peripheral device 16 in S12 with respect to the peripheral device 16, generates a random number in S44, reads the size storage unit 60 in S14 to S22, and S48 Generate update data containing random numbers. On the other hand, the hash value of S50 is generated and the hash value is recorded in the hash value storage unit 62. Then, update data including a random number is written to the peripheral device 16. In addition, the IVI device 14 records that update data including a random number has been written to the peripheral device 16 in a write-once (not writeable once) storage area. In this way, the IVI device 14 may generate and write update data including a random number to the peripheral device 16 in the assembly factory.

  In paragraph 0104 above, the IVI device 14 generates and writes update data including a random number to the peripheral device 16, but reads the ROM of the peripheral device 16 via OBD (On-board diagnostics) and connects to the OBD. The PC may generate update data including the random number in S48. Then, the size information of the peripheral device 16 is stored in the size storage unit 60, the hash value is stored in the hash value storage unit 62, and the update data including the random number is updated in the peripheral device 16 via the OBD. It doesn't matter.

Note that the techniques described in the examples and the modifications may be specified by the following items.
[Item 1]
A storage unit that stores determination data based on data stored in the entire area of the memory of the device to be inspected; an acquisition unit that acquires data stored in the entire area of the memory of the device to be inspected at a predetermined inspection timing; If the derivation unit for deriving the inspection data based on the data acquired by the acquisition unit, the inspection data derived by the derivation unit, and the determination data stored in advance in the storage unit do not match, the inspected device is abnormal And a determination unit that determines that the inspection device is included.
According to this aspect, it is possible to improve the accuracy (in other words, accuracy) by which the inspection device determines whether there is a malicious program in the device to be inspected.
[Item 2]
The data is different from the data of the program that defines the operation of the device to be inspected, and the data that is composed of all 0s or 1s in the empty area where the program data is not stored, or the data that is composed of repeated predetermined patterns. Data may be set.
According to this aspect, it is possible to make it difficult for an unauthorized program existing in the memory of the device under test to be disguised so that the stored data in the memory is normal.
[Item 3]
The different data may be a random number sequence.
According to this aspect, it is possible to make it more difficult for an unauthorized program existing in the memory of the device to be inspected to be disguised so that the data stored in the memory is normal.
[Item 4]
The different data may be compressed data.
According to this aspect, it is possible to make it more difficult for an unauthorized program existing in the memory of the device to be inspected to be disguised so that the data stored in the memory is normal.
[Item 5]
The determination unit determines that the device under test is abnormal if the time from when the acquisition unit requests the device to be inspected to provide data to the time when the data is provided exceeds a threshold corresponding to the size of the requested data. May be determined.
According to this aspect, even when a malicious program existing in the memory of the device under test is disguised so that the data stored in the memory is normal, it is easy to detect an abnormality of the device under test.
[Item 6]
The acquisition unit acquires the data stored in the entire area of the memory by repeating the acquisition of the data stored in the partial area of the memory of the inspected apparatus a plurality of times. A read address designated for each data acquisition may be determined at random.
According to this aspect, it is difficult for an unauthorized program existing in the memory of the device under test to disguise the stored data in the memory as normal, and an abnormality of the device under test is easily detected.
[Item 7]
The acquisition unit acquires the data stored in the entire area of the memory by repeating the acquisition of the data stored in the partial area of the memory of the inspected apparatus a plurality of times. The read size designated for each data acquisition may be determined at random.
According to this aspect, it is difficult for an unauthorized program existing in the memory of the device under test to disguise the stored data in the memory as normal, and an abnormality of the device under test is easily detected.
[Item 8]
An inspection system includes an inspection apparatus and an apparatus to be inspected. The data stored in the memory of the device to be inspected includes the data of a program that defines the operation of the device to be inspected, and data consisting of all 0s or 1s in a free area in which no program data is stored, or of a predetermined pattern. Data that is different from the data configured by repetition is set, and the inspected device is derived by the deriving unit that derives the inspection data based on the data stored in the entire area of the memory, and the deriving unit. A transmission unit that transmits the inspection data to the inspection device. The inspection apparatus determines that the inspected apparatus is abnormal when the storage unit that stores the determination data based on the data, the inspection data transmitted from the inspected apparatus, and the determination data stored in advance in the storage unit do not match. And a determination unit.
According to this aspect, an unauthorized program existing in the memory of the inspected device can make it difficult to disguise the stored data in the memory as normal, and the amount of data transmitted from the inspected device to the inspecting device can be reduced. Can be reduced.
[Item 9]
The inspection apparatus and the inspected apparatus may perform challenge / response communication, and the inspection apparatus may further include a transmission unit that determines the challenge and transmits the challenge to the inspected apparatus. The transmission unit of the device to be inspected generates response data based on the inspection data and the challenge, and transmits the generated response data to the inspection device, and the determination unit of the inspection device is based on the response data and the challenge, The inspection data derived in (1) may be acquired.
According to this aspect, since the inspection data transmitted by the inspected device does not flow directly through the communication network, security can be further enhanced. In addition, since the challenge is determined every time an inspection is performed, the response data cannot be prepared in advance by an unauthorized program, making it even more difficult to disguise the stored data in the memory of the inspected device as normal. .
[Item 10]
Information comprising: a generating unit that generates data stored in the memory of the device to be inspected for checking the normality of the data stored in the memory; and an output unit that outputs the data generated by the generating unit to an external device Processing equipment. The above data includes data of a program that defines the operation of the device to be inspected, data composed of all 0s or 1s in an empty area where program data is not set, or data composed of repeated predetermined patterns. Different data is set.
According to this aspect, it is memory data stored in the memory of the device to be inspected, and memory data suitable for detecting unauthorized programs can be provided.
[Item 11]
An inspection apparatus that inspects the normality of the inspected apparatus using the determination data stored in advance acquires the data stored in the entire area of the memory of the inspected apparatus at a predetermined inspection timing. An inspection method for deriving inspection data based on the result, and determining that the inspected apparatus is abnormal when the derived inspection data and the determination data stored in advance do not match.
According to this aspect, it is possible to improve the accuracy (in other words, accuracy) by which the inspection device determines whether there is a malicious program in the device to be inspected.
[Item 12]
In the inspection apparatus that inspects the normality of the inspected apparatus using the determination data stored in advance, the data stored in the entire area of the memory of the inspected apparatus is acquired at a predetermined inspection timing, and the acquired data is A computer program for deriving inspection data based on the result and causing the inspected apparatus to determine that there is an abnormality when the derived inspection data and the determination data stored in advance do not match.
According to this aspect, it is possible to improve the accuracy (in other words, accuracy) by which the inspection device determines whether there is a malicious program in the device to be inspected.

  Further, any combination of the above-described embodiments and modifications is also useful as an embodiment of the present invention. The new embodiment resulting from the combination has the effects of the combined example and modification. Further, it should be understood by those skilled in the art that the functions to be fulfilled by the constituent elements described in the claims are realized by the individual constituent elements shown in the embodiments and the modified examples or by their cooperation.

  DESCRIPTION OF SYMBOLS 10 Inspection system, 14 IVI apparatus, 16 Peripheral device, 20 Update data generation apparatus, 62 Hash value storage part, 70 ROM data acquisition part, 72 Hash value derivation part, 74 State determination part, 118 Update data generation part, 120 Hash value Derivation part.

Claims (12)

A storage unit for storing determination data based on data stored in the entire area of the memory of the device under test;
An acquisition unit that acquires data stored in an entire area of the memory of the device to be inspected at a predetermined inspection timing;
A derivation unit for deriving inspection data based on the data acquired by the acquisition unit;
A determination unit that determines that the inspected apparatus is abnormal when the inspection data derived by the deriving unit and the determination data stored in advance in the storage unit do not match;
An inspection apparatus comprising:   The data includes data of a program that defines the operation of the device to be inspected, data composed of all 0s or 1s in an empty area in which the data of the program is not stored, or data composed of repetition of a predetermined pattern The inspection apparatus according to claim 1, wherein different data is set.   The inspection apparatus according to claim 2, wherein the different data is a random number sequence.   The inspection apparatus according to claim 2, wherein the different data is compressed data.   The determination unit, when the time from when the acquisition unit requests the device to be inspected to provide data to when the data is provided exceeds a threshold corresponding to the size of the requested data, The inspection apparatus according to claim 1, wherein the inspection apparatus determines that an abnormality has occurred. The acquisition unit acquires the data stored in the entire area of the memory by repeating a plurality of times to acquire the data stored in the partial area of the memory of the device under test,
The inspection apparatus according to claim 1, wherein the acquisition unit randomly determines a read address designated by each of a plurality of data acquisitions. The acquisition unit acquires the data stored in the entire area of the memory by repeating a plurality of times to acquire the data stored in the partial area of the memory of the device under test,
The inspection apparatus according to claim 1, wherein the acquisition unit randomly determines a read size designated in each of a plurality of data acquisitions. An inspection device and an inspected device;
The data stored in the memory of the device to be inspected includes data of a program that defines the operation of the device to be inspected and data consisting of all 0s or 1s in a free area in which the program data is not stored. Data that is different from the data configured by repeating the pattern of
The inspected device is:
A deriving unit for deriving inspection data based on data stored in the entire area of the memory;
A transmission unit for transmitting the inspection data derived by the deriving unit to the inspection device,
The inspection device includes:
A storage unit for storing determination data based on the data;
A test unit including a determination unit that determines that the device to be inspected is abnormal when the test data transmitted from the device to be inspected and the determination data stored in advance in the storage unit do not match system. The inspection device and the device to be inspected perform challenge-response communication,
The inspection apparatus further includes a transmission unit that determines a challenge and transmits the challenge to the inspected apparatus,
The transmission unit of the device to be inspected generates response data based on the inspection data and the challenge, and transmits the generated response data to the inspection device.
9. The inspection system according to claim 8, wherein the determination unit of the inspection apparatus acquires inspection data derived by the inspected apparatus based on the response data and the challenge. A generator for generating data stored in a memory of a device under test whose normality of data stored in the memory is inspected;
An output unit for outputting the data generated by the generation unit to an external device;
With
The data includes data of a program that defines the operation of the device to be inspected, data composed of all 0s or 1s in an empty area where the data of the program is not set, or data composed of repetition of a predetermined pattern An information processing apparatus characterized in that different data is set. An inspection apparatus that inspects the normality of the inspected apparatus using the determination data stored in advance,
At a predetermined inspection timing, obtain data stored in the entire area of the memory of the inspected device,
Deriving inspection data based on the acquired data,
An inspection method, wherein the inspected apparatus determines that an abnormality occurs when the derived inspection data and the determination data stored in advance do not match. In the inspection apparatus that inspects the normality of the inspected apparatus using the judgment data stored in advance,
At a predetermined inspection timing, obtain data stored in the entire area of the memory of the inspected device,
Deriving inspection data based on the acquired data,
When the derived inspection data and the preliminarily stored determination data do not match, the inspected device is determined to be abnormal.
A computer program that causes things to be executed.

Images